RISK-ACADEMY



Document risk appetite for different types of decisions

May 23, 2018

Most organisations have already documented their appetite for different common decisions or business objectives. Segregation of duties, financing and deal limits, procurement criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organisations set risk appetites. Appetites or limits for different kinds of decisions and risks have been around for decades. Not all risks, but most of them.


So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern-day consultants tell us, the authors believe that any attempt in non-financial companies to aggregate risks into a single risk appetite statement is both unnecessary and unrealistic. Even having a few separate risk appetite statements totally misses the point.


After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions.


Instead of creating separate new risk appetite statements, risk managers should review existing Board level policies and procedures and identify:



  • significant decisions and risks that already have their appetites set. For example, a company may have a Board level policy that prohibits any business ventures with organisations that utilise child labour. Or it may have a requirement not to invest in high risk ventures above a certain ratio, or executives may have been delegated authority for any budgetary decisions of no more than 300 million. In cases where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. 80% of the time the appetites for different business decisions have already been set and all the risk manager has to do is to validate, monitor and report any unusual activity.
  • for the decisions and risks where no appetite has been set by any of the existing policies or procedures, the risk manager should work with the process owners to develop risk limits and incorporate them into existing policies and procedures. Main risks can be divided into three groups: "zero tolerance" risks, risks acceptable within quantitative limits and risks acceptable within qualitative limits. This is the other 20%. Risk managers should use Monte-Carlo simulation, scenario analysis or decision trees to document risk appetites. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable.

We strongly believe that risk appetites should be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements. Also keep in mind that non-financial companies have inherited the risk appetite concept from regulators in the banking sector. For banks, risk appetite is used as a regulator's control mechanism. Sometimes we use the analogy of the dog’s leash.


Since most risk managers in non-financial companies are likely to be paid by the CEO and usually work for the management and not the regulator or even the shareholders, risk managers should probably view the concept of risk appetite from management’s perspective.